General

  • Target: c9932c2b1605ba7f1631142db258d257_JaffaCakes118
  • Size: 228 KB
  • Sample: 240829-y8m6ss1gjq
  • MD5: c9932c2b1605ba7f1631142db258d257
  • SHA1: 5f266ed4700369a7222884998b0663fb61fe7325
  • SHA256: 27181dc7667f214becd2f0debb67ff3cc328d074409f0c89b8663172d7aa9d1c
  • SHA512: f6f612ef2feb4c333dc5922bdd5993ad1c0f3e9cbc5d98064c9e5107a9c607e9772d48c93a69f210872b12567860de4e19a08e6e0043f2104ab9581471169a70
  • SSDEEP: 768:iXzsX7m2PX2uC3P1UtKzlJsEqDlEVBRDKwsB9nMZnANQ1N/4U7rYxamg46MVp:iDF2PX2uCUtT9DlkBRDPsBcs0WpgX6

Malware Config

Targets

    • Expiro, m0yv

      Expiro, also known as m0yv, is a multi-functional backdoor written in C++.

    • Expiro payload

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Modifies WinLogon

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks